Security services often rely on log files to determine the state of a machine (e.g., whether the machine is malfunctioning). Conventionally, security services maintain event schemas (i.e., structured data objects) that identify and define the elements and types within log files. Then, when attempting to determine the state of a machine, security services conventionally parse the machine's log lines to extract various elements (e.g., the IP address, a signature, the text, etc.) and map the extracted elements to elements in the event schemas. Based on the information that the event schemas provide for those elements, conventional security systems may determine the state of the machine. In other words, traditional approaches (i) take unstructured information provided in the log files of a machine, (ii) map the unstructured information into a structured schema format, and (iii) form a conclusion about the state of the machine based on information provided in the schema.
Thus, in traditional approaches, in order to derive information about the state of a machine from a particular log line, the particular log line must have been previously analyzed and added to a schema. As such, an event schema created for a certain product may not be used for other (e.g., newly created) products (i.e., products whose log lines vary from the log lines of the certain product) or even for an updated version of the certain product. The instant disclosure, therefore, identifies and addresses a need for systems and methods for using log lines to analyze computer stability issues that abandon the rigidity imposed by traditional event schema approaches.
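The following is an added illustration of the conventional three-step approach described above and of its limitation; it is not code from the disclosure. The product name, schema layout, signatures and sample log lines are all constructed for the example.

```python
import re

# Constructed event schemas (hypothetical product "acmeagent"). Each schema fixes
# the exact layout of one product's log lines (a regex with named elements) and
# maps the extracted signature element to a machine state.
EVENT_SCHEMAS = {
    "acmeagent-1.0": {
        "layout": re.compile(
            r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<signature>[A-Z_]+): (?P<text>.+)$"
        ),
        "signature_to_state": {"DISK_FULL": "malfunctioning", "HEARTBEAT": "healthy"},
    },
}


def extract_elements(line):
    """Steps (i)-(ii): map an unstructured log line onto a schema's structured
    elements. Returns (schema_name, elements), or (None, None) if no schema fits."""
    for name, schema in EVENT_SCHEMAS.items():
        match = schema["layout"].match(line)
        if match:
            return name, match.groupdict()
    return None, None


def machine_state(line):
    """Step (iii): derive the machine state from the schema. A line that was never
    analyzed and added to a schema yields 'unknown', which is the rigidity at issue."""
    name, elements = extract_elements(line)
    if name is None:
        return "unknown"
    states = EVENT_SCHEMAS[name]["signature_to_state"]
    return states.get(elements["signature"], "unknown")


# Constructed sample lines: the first two follow the 1.0 layout; the third comes
# from an updated product version that reordered its fields, so no schema matches
# even though the line plainly reports the same malfunction.
SAMPLE_LINES = [
    "10.0.0.5 HEARTBEAT: agent alive",
    "10.0.0.5 DISK_FULL: /var at 100%",
    "DISK_FULL [10.0.0.5] /var at 100%",  # hypothetical 2.0 layout
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line!r} -> {machine_state(line)}")
```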